Four...a workstation I'm pretty sure it started on, and then the two file servers it had mapped drives to, and the backup file server that one of the file servers was mapped to.

The mapped drives aren't infected, they are just encrypted directories.

Maybe I'm misunderstanding you, but the servers are, in fact, showing they are encrypted, so am I right in thinking that we should be "contained" now via my earlier post?

Cryptowall doesn't "spread" in a normal sense; it runs out of the %appdata% directory of an infected system, and when it starts running, its task is to encrypt locally available directories. It'll crawl through C: D: F: G: Z: or whatever else you have mapped, but the virus itself will stay in the infected workstation or server. So what I'm saying is the virus itself hasn't spread, so you don't have to worry about it being IN the servers or being IN other workstations.

From the server that's getting borked, you can open up command prompt and type in "openfiles", which will tell you what file is being accessed and by whom. CryptoWall works alphabetically, so the file AFTER the last infection that's being messed with will have the user and the session on it.

It's a file server though, and everyone is here and working in it, so it has TONS of files open. How do I tell what's what, when everything looks legit from what I see?

Erik, hundreds of spiceheads are stepping their end-users through Kevin Mitnick security awareness training to prevent ransomware infections like this. Once the emergency is over, ping me and I will send you a quote for your organization. See the reviews at the tab.

The DECRYPT_HELP file: right-click it and open properties. Go over to "Security" and under "permissions for SYSTEM" click advanced. It'll tell you who the author is; the author is the infected system.
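The two tips above (the "openfiles" check and reading the owner of the DECRYPT_HELP note) can be done in one pass from the file server. This is an added PowerShell example, not something any poster in the thread wrote; it assumes a share root of D:\Shares, that the ransom notes are named DECRYPT_HELP* (the HELP_DECRYPT* variant is an assumption), and that the column headers of "openfiles /query /fo csv" are as shown in the comments.

```powershell
# Added example (not from the thread). Run on the affected file server as an admin.
# Assumptions: share root path, ransom-note file name patterns, openfiles CSV column names.
$SharePath   = 'D:\Shares'                         # assumed share root to scan
$NotePattern = @('DECRYPT_HELP*', 'HELP_DECRYPT*') # DECRYPT_HELP from the thread; HELP_DECRYPT assumed variant

# 1. Who wrote the ransom notes? The NTFS owner of each note is the account the
#    malware ran under (the infected user/workstation), as the thread describes.
function Get-RansomNoteOwners {
    param([string]$Root, [string[]]$Patterns)
    Get-ChildItem -Path $Root -Recurse -Force -Include $Patterns -ErrorAction SilentlyContinue |
        ForEach-Object {
            try { (Get-Acl -LiteralPath $_.FullName).Owner } catch { 'UNKNOWN' }
        } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'Owner'; Expression = { $_.Name } }
}

# 2. Which session currently holds files open under the share? "openfiles /query"
#    lists files opened over SMB by remote workstations; group them by the
#    "Accessed By" column to find the session doing the encrypting.
function Get-OpenFileSessions {
    param([string]$Root)
    $rows = openfiles /query /fo csv /v 2>$null | ConvertFrom-Csv
    if (-not $rows) { return @() }
    # Column name assumed to be "Open File (Path\executable)"; resolve it by prefix to be safe.
    $pathCol = ($rows | Select-Object -First 1).PSObject.Properties.Name | Where-Object { $_ -like 'Open File*' } | Select-Object -First 1
    $rows | Where-Object { $_.$pathCol -like "$Root*" } |
        Group-Object 'Accessed By' | Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'Session'; Expression = { $_.Name } }
}

"=== Ransom note owners under $SharePath ==="
Get-RansomNoteOwners -Root $SharePath -Patterns $NotePattern | Format-Table -AutoSize

"=== Sessions with files open under $SharePath ==="
Get-OpenFileSessions -Root $SharePath | Format-Table -AutoSize
```

An account that tops the first table and also appears in the second is the one to disconnect; if the owner shows only a user name, the "Accessed By" session and the DHCP/DNS lease for it give the actual workstation.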

^^ DO THIS ^^ Quit wasting time reading other suggestions. This is the solution to finding the offending workstation. Disconnect it and turn off the Wireless if it is a laptop, too! You do not need to nuke the workstation or the server.

Honestly, I love the nuke and re-image (not needed) advice that comes up on these threads. Love the don't pay the ransom if you don't have backups advice (no one is going to fall on their sword and go out of business for the better good of us all, and a re-image doesn't matter, just wasted time. The virus is clearly understood. Why would it re-infect? You paid the ransom and learned and started backups; they'd get no repeat customers.)

Also, ransom has been as high as 1k recently, so it's not always a quick $300. Most of us don't have bitcoin wallets, and CC transactions with low caps and delays before credit is applied means most of us are going to be seeking out cash for bitcoins from local sellers which are hard to find. At least you get to feel like a secret agent in a hostage exchange?

The new versions also closed the loopholes where you could snag credit from someone else's ransom. Even disconnecting it from the network after it's done/close to done doesn't matter. Honestly, it's easier to restore whole top-level shares than it is just parts of subfolders. I can do a whole file server restore in like an hour. Took me three hours to do restores to just parts of shares, mainly finding out what's been affected. My backups take hourlies though during work days, so if you had to roll a whole share back 3 days I guess people would be mad.

This has become so common, I still can't believe I have customers fighting real backup solutions besides rotating flash drives. We even had two customers hit with two ransomwares at a time...legit had to pay one ransom, unencrypt, access directions for first infection, unencrypt THAT.

It's amazing to me this hasn't fizzled with people running for the hills buying backup solutions like milk and bread (and ammo) before a hurricane. It's not pretend costs like "well if you don't protect yourself, you could be hit with a private information breach lawsuit or fine." It's a direct "pay this or you can't work" expense that even SMB owners realize.

Good luck, I hope you have backups; otherwise make sure you get paid overtime to meet the guy at the truck stop to exchange cash for btc.

So, I think I may have figured out the offending machine. I've got all machines I've found unplugged from the network, but if I'm thinking correctly, doesn't it just affect machines in this order:

1. initial pc who installed it unknowingly
2. any network shares it has on the computer

And that's it? I don't think I read that it crawls the network in any way besides that, so if I can contain those machines, my collateral damage would be minimized to those machines?

Also, our backups were infected as well, since it's a file-server, and the files were backed up to an offsite server using a mapped drive. So, backups are screwed. I don't see any way around this other than paying the ransom. This royally sucks.